Jump to content
Pyro411

KES10SP2 Hinders Office 2010 on Windows 10 1709

Recommended Posts

Just an odd interesting one...

On a clean load of the fall creator's update, or an update from the Spring to Fall creators update to the fall creators update I'm experiencing the following issue with Office 2010 Standard 32 Bit

 

I can create a file and save it, however making any modifications to the file and hitting save again prompts me with errors upon saving - usually file permission error, however once KES10SP2 is uninstalled everything works again.

I've verified this on Documents/Excel Spreadsheets/Outlook Signature modifications

All Microsoft Updates & KES Updates as of 10/25/2017 are installed

Share this post


Link to post
1 hour ago, Pyro411 said:

Just an odd interesting one...

On a clean load of the fall creator's update, or an update from the Spring to Fall creators update to the fall creators update I'm experiencing the following issue with Office 2010 Standard 32 Bit

 

I can create a file and save it, however making any modifications to the file and hitting save again prompts me with errors upon saving - usually file permission error, however once KES10SP2 is uninstalled everything works again.

I've verified this on Documents/Excel Spreadsheets/Outlook Signature modifications

All Microsoft Updates & KES Updates as of 10/25/2017 are installed

Hello,

please attach screenshot of error message and KES settings.

Thank you.

 

Share this post


Link to post

Thank you for the quick reply.

 

Since my post I have done a bit more testing and found that doing an upgrade to the version 11.xxx beta writing to documents in office is functional there and the settings from 10SP2 seem to still be in place.

 

Note the Settings.cfg & Error image both have come from a new computer with a clean load of Windows 10 and Kaspersky as of 10/23/2017 with all updates installed and not a computer that had the fall creators update installed as a patch from a previous version.

Error on doc save.png

Settings.cfg

Share this post


Link to post
48 minutes ago, Pyro411 said:

the settings from 10SP2 seem to still be in place.

Did you create a new policy for KES 11 or converted from SP2 ?

Thank you.

 

Share this post


Link to post
1 minute ago, Dmitry Eremeev said:

Did you create a new policy for KES 11 or converted from SP2 ?

Thank you.

 

For the system running KES11 I did an inplace upgrade locally and not via the command center so I'm assuming it just converted the policy previously pushed to systems for KES 10 SP2 and made a local copy of the configuration set.

Included are the settings that came off of the Beta Client & policy the non beta client loaded prior to the upgrade.

Beta Settings.cfg

KES10SP2.klp

Share this post


Link to post
3 hours ago, Pyro411 said:

Just an odd interesting one...

On a clean load of the fall creator's update, or an update from the Spring to Fall creators update to the fall creators update I'm experiencing the following issue with Office 2010 Standard 32 Bit

 

I can create a file and save it, however making any modifications to the file and hitting save again prompts me with errors upon saving - usually file permission error, however once KES10SP2 is uninstalled everything works again.

I've verified this on Documents/Excel Spreadsheets/Outlook Signature modifications

All Microsoft Updates & KES Updates as of 10/25/2017 are installed

Hello.

Please clarify whether only uninstalling KES resolves the issue. Does simply exiting KES or disabling all components (or, specifically, some particular component) resolve it as well? Please collect KES traces while all other components are off, and the issue is reproduced. Also, please provide a GSI report from the host.

Unfortunately, before the release of KES 11, its behavior can only be investigated as part of the beta-testing.

Thank you.

Share this post


Link to post
30 minutes ago, Kirill Tsapovsky said:

Hello.

Please clarify whether only uninstalling KES resolves the issue. Does simply exiting KES or disabling all components (or, specifically, some particular component) resolve it as well? Please collect KES traces while all other components are off, and the issue is reproduced. Also, please provide a GSI report from the host.

Unfortunately, before the release of KES 11, its behavior can only be investigated as part of the beta-testing.

Thank you.

Uninstalling does solve the issue with  being able to write Microsoft 2010 files

Doing a Pause system protection & control does not solve the problem

-- Traces included, currently re-running the GSI & attempting to get it below 4MB in size

Kaspersky Lab.zip

Share this post


Link to post
1 hour ago, Kirill Tsapovsky said:

Hello.

Please clarify whether only uninstalling KES resolves the issue. Does simply exiting KES or disabling all components (or, specifically, some particular component) resolve it as well? Please collect KES traces while all other components are off, and the issue is reproduced. Also, please provide a GSI report from the host.

Unfortunately, before the release of KES 11, its behavior can only be investigated as part of the beta-testing.

Thank you.

My GSI is about 4.6MB in size... down to about 4.4MB in size using 7zip 16's ultra compression, is there a method for getting it up to you as is, or should I re-run it without windows logs to see if that reduces "about 5MB in total pre compression" the size enough to upload here?

Share this post


Link to post

Hello,

I had the same problem with some my customers today.

The configuration was KES 10SP2, Windows 10 1709 x64 and OFFICE 2016 32bit.

When the users tried to save a modified word file (locally or on a network folder), they received the message "Word cannot complete the save due to a file permission error".

After that I removed KES10SP2 , everything works again..

Best regards,

Stefano

Share this post


Link to post
1 hour ago, Pyro411 said:

My GSI is about 4.6MB in size... down to about 4.4MB in size using 7zip 16's ultra compression, is there a method for getting it up to you as is, or should I re-run it without windows logs to see if that reduces "about 5MB in total pre compression" the size enough to upload here?

Please clarify whether all components in KES were disabled at the time traces were collected. If possible, please do "Pause protection and control" and collect a set of traces together with a procmon log. This will allow to see which processes actually modify permissions and how.
GSI report can be uploaded to any resource, and a link provided here.

 

storelli Thank you for reporting. We will investigate based on information provided by Pyro411, and post about the progress in this topic.

 

Thank you.

Share this post


Link to post
4 minutes ago, Kirill Tsapovsky said:

Please clarify whether all components in KES were disabled at the time traces were collected. If possible, please do "Pause protection and control" and collect a set of traces together with a procmon log. This will allow to see which processes actually modify permissions and how.
GSI report can be uploaded to any resource, and a link provided here.

 

storelli Thank you for reporting. We will investigate based on information provided by Pyro411, and post about the progress in this topic.

 

Thank you.

GSI can be found here;

https://drive.google.com/open?id=0By_x-J-Ecj7KbjE5VWVRSjdoTjg

Procmon PML file can be found here -- warning it's about 850MB when decompressed

https://drive.google.com/open?id=0By_x-J-Ecj7KLUdRQWZqNnZsQW8

 

New trace logs attached - All Endpoint controls and protections disabled via pause protection and control during gathering of traces & procmon 

Traces.zip

Share this post


Link to post
6 hours ago, Pyro411 said:

GSI can be found here;

https://drive.google.com/open?id=0By_x-J-Ecj7KbjE5VWVRSjdoTjg

Procmon PML file can be found here -- warning it's about 850MB when decompressed

https://drive.google.com/open?id=0By_x-J-Ecj7KLUdRQWZqNnZsQW8

 

New trace logs attached - All Endpoint controls and protections disabled via pause protection and control during gathering of traces & procmon 

Traces.zip

Issue 2445103 created for developers' analysis. As soon as we receive a reply from them, we will update this topic.

Thank you.

Share this post


Link to post

Hello!

Could you please check if the disabling the driver klvfs would solve the issue?

Please also install the patch pf3099. You can get it in the incident via companyaccount.kaspersky.com

Thanks!

Share this post


Link to post
3 hours ago, Ivan.Ponomarev said:

Hello!

Could you please check if the disabling the driver klvfs would solve the issue?

Please also install the patch pf3099. You can get it in the incident via companyaccount.kaspersky.com

Thanks!

Good morning;

 

Sadly I'm not seeing an incident for this in my company account & created a new company account connected to the email that's identical to the one on the forum, I did submit a request to get it though via the ticket system in the company account portal.

 

Sorry silly question, what's the best method to disable the klvfs driver?

Share this post


Link to post

You create an incident in your company account at companyaccount.kaspersky.com and there you can ask fot the patch. 

You disable the driver by renamig it. 

Thanks!

Share this post


Link to post
8 hours ago, Ivan.Ponomarev said:

Hello!

Could you please check if the disabling the driver klvfs would solve the issue?

Please also install the patch pf3099. You can get it in the incident via companyaccount.kaspersky.com

Thanks!

Small problem with PF3099... after installing & rebooting... I lost access to the use of my keyboard/mouse and network connectivity and wound up having to do a system restore to get back into the system in question.

Share this post


Link to post
3 hours ago, Pyro411 said:

Small problem with PF3099... after installing & rebooting... I lost access to the use of my keyboard/mouse and network connectivity and wound up having to do a system restore to get back into the system in question.

Hello,

please give us the ticket number.

Did you try to rename the driver and reboot the machine ?

Thank you.

 

Share this post


Link to post
15 hours ago, Dmitry Eremeev said:

Hello,

please give us the ticket number.

Did you try to rename the driver and reboot the machine ?

Thank you.

 

Good morning;

Sorry for the delay, the ticket number for when I got the file is INC000008419620

After renaming klvfs.sys and rebooting I'm able to modify files via office again

I did also try loading PF3099 after renaming klvfs.sys as a test, however upon boot it was stuck at the login screen with all forms of input that I tested were disabled "Keyboard/mouse/Incoming RDP sessions" however the clock continued on properly so it wasn't a hard system lock.  -- This required a system restore to regain functionality.

Share this post


Link to post
4 minutes ago, Konstantin Antonov said:

Did you installed any Service Packs on Office 2010?

Thank you!

Yes, Office 2010 Professional Plus SP2 fully patched via Windows Updates

Share this post


Link to post
21 hours ago, Pyro411 said:

Good morning;

Sorry for the delay, the ticket number for when I got the file is INC000008419620

After renaming klvfs.sys and rebooting I'm able to modify files via office again

I did also try loading PF3099 after renaming klvfs.sys as a test, however upon boot it was stuck at the login screen with all forms of input that I tested were disabled "Keyboard/mouse/Incoming RDP sessions" however the clock continued on properly so it wasn't a hard system lock.  -- This required a system restore to regain functionality.

The patch is not known to cause such issues; furthermore, it potentially fixes the described issue. If possible, please check if this behavior is reproduceable, or if another test host can be used. If reproduced, please describe the exact actions that lead to this. Did you rename the driver back before installing the patch? What happens if you disable Device Control (via policy, or after excluding this host from the group that enforces a policy) before installing the patch?

Thank you.

Share this post


Link to post

Hello,

We are also facing the same issue. We are using KES 10 SP2, Windows 10 Update 1703 as well as some systems Update 1709 and all systems have Office 2016 x64. Users are complaining that they can not edit and save excel files both local and network shared.

Can you please tell me what is disabling klvfs driver? how can i do that? can i do it centrally from policy or need to do individually in each system? Can you please tell me steps how to disable it?

Thanks,

Dhyanesh Mehta

Share this post


Link to post
5 hours ago, dhyanesh.mehta said:

Hello,

We are also facing the same issue. We are using KES 10 SP2, Windows 10 Update 1703 as well as some systems Update 1709 and all systems have Office 2016 x64. Users are complaining that they can not edit and save excel files both local and network shared.

Can you please tell me what is disabling klvfs driver? how can i do that? can i do it centrally from policy or need to do individually in each system? Can you please tell me steps how to disable it?

Thanks,

Dhyanesh Mehta

Hello,

On 10/25/2017 at 9:26 PM, Kirill Tsapovsky said:

Please clarify whether only uninstalling KES resolves the issue. Does simply exiting KES or disabling all components (or, specifically, some particular component) resolve it as well?

If nothing helps, please create an incident in CA and ask pf3099

Thank you.

 

Share this post


Link to post
On 10/28/2017 at 7:17 AM, Kirill Tsapovsky said:

The patch is not known to cause such issues; furthermore, it potentially fixes the described issue. If possible, please check if this behavior is reproduceable, or if another test host can be used. If reproduced, please describe the exact actions that lead to this. Did you rename the driver back before installing the patch? What happens if you disable Device Control (via policy, or after excluding this host from the group that enforces a policy) before installing the patch?

Thank you.

Good morning;

 

Sorry I was away yesterday & won't be able to test on a different PC until tomorrow.

First patch attempt, I had just run through the wizard without disabling kaspersky

Second patch attempt, I had disabled policy & protection -- I didn't disable Device Control

Third Patch attempt, I had disabled policy & protection after a reboot after renaming klvfs.sys & rebooting - however I didn't disable device control before patching

 

The system in question was my laptop at the office with the following basic info.

Lenovo Thinkpad E570

Windows 10 Creator's Update (Spring version loaded on a new Samsung Pro 960 in August I believe) -- Version 1709 installed via Windows Updates no WSUS server.

Bit Locker Turned on upon load

All Drivers updated

All Windows patches installed

Office 2010 Professional Pro Plus - Service Pack 2 plus all updates available via Windows Updates installed.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.